The wrapper locks itself into secure_noroot and secure_nosuidfixup
mode using the prctl() system call. Then, it executes its first argument
(ssh), passing the remaining arguments to the newly executed program,
ssh. Compile capwrap, and copy it into /sbin:

# gcc -o capwrap capwrap.c -lcap
# cp capwrap /sbin/
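The following is an added illustration of what such a wrapper does; it is not the article's capwrap.c. It sets both securebits and their LOCKED companions with prctl(PR_SET_SECUREBITS) (so neither sshd nor anything it later execs can switch the modes back off), re-reads the bits to verify the lock took, and only then execs its first argument. The bit values are copied from linux/securebits.h so the file builds without the kernel headers; applying the lock requires CAP_SETPCAP, which root has when it is started from an init script.

```c
/* capwrap-style securebits lock (added example, not the article's capwrap.c).
 * Assumes Linux with securebits support; PR_SET_SECUREBITS needs CAP_SETPCAP. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>

#ifndef PR_GET_SECUREBITS
#define PR_GET_SECUREBITS 27
#define PR_SET_SECUREBITS 28
#endif
/* Bit positions as in <linux/securebits.h>, repeated here so the example
 * compiles even where that header is not installed. */
#ifndef SECBIT_NOROOT
#define SECBIT_NOROOT                 (1u << 0)
#define SECBIT_NOROOT_LOCKED          (1u << 1)
#define SECBIT_NO_SETUID_FIXUP        (1u << 2)
#define SECBIT_NO_SETUID_FIXUP_LOCKED (1u << 3)
#endif

/* The value the wrapper wants: both modes on, and both locked so that no
 * later prctl() in sshd or its children can clear them again. */
unsigned int capwrap_secbits(void)
{
    return SECBIT_NOROOT | SECBIT_NOROOT_LOCKED |
           SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED;
}

/* Returns 1 if a securebits value has noroot and no_setuid_fixup both set
 * and locked. Useful as a check on a running daemon's securebits. */
int secbits_fully_locked(unsigned int bits)
{
    return (bits & capwrap_secbits()) == capwrap_secbits();
}

/* Lock the calling process. Returns 0 on success, -1 with errno set
 * (typically EPERM when CAP_SETPCAP is missing) on failure. */
int lock_securebits(void)
{
    if (prctl(PR_SET_SECUREBITS, capwrap_secbits(), 0, 0, 0) == -1)
        return -1;
    /* Read the bits back rather than trusting the call silently. */
    int now = prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
    if (now == -1 || !secbits_fully_locked((unsigned int)now)) {
        errno = EINVAL;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    if (lock_securebits() == -1) {
        perror("PR_SET_SECUREBITS");
        return 1;
    }
    /* argv[1] becomes argv[0] of the new program; the rest follow unchanged. */
    execvp(argv[1], &argv[1]);
    perror("execvp");
    return 1;
}
```

Because the lock bits are included, a process that inherits these securebits cannot undo them even if it later regains CAP_SETPCAP; that is the property the rest of the experiment relies on.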

Then, edit /etc/init.d/sshd to execute capwrap. Find the start() function,
and place /sbin/capwrap in front of the line that actually executes
sshd. That line then becomes:

/sbin/capwrap $SSHD $OPTIONS && success || failure

Of course, sshd will require some privilege to change userid and groupid,
among other things. Being lazy, for now, just set all capabilities using
the command:

hallyn@kvm# setcap all=ei /usr/sbin/sshd

If you try restarting sshd right now, you'll be met with a silent failure.
Instead, try this to start it by hand and see debugging output:

debug1: permanently_set_uid: 74/74
permanently_set_uid: was able to restore old [e]gid

sshd is complaining that it is still able to restore its uid after switching
to uid 74 (the sshd userid). This is problematic. Because you locked sshd
into secure_nosuidfixup mode, switching from uid 0 to a non-0 uid no longer
clears pE automatically. The process therefore keeps CAP_SETUID and
CAP_SETGID, so it can reset its uid to 0 at any time.

The right solution is to modify the sshd source to separate the privilege
handling from the userid handling. But, for this experiment, let's just
stop sshd from complaining! It is wrong, but perhaps not quite as bad
as it seems, because when sshd executes the user's login shell, pP and pE
will be recalculated anyway.
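The check sshd is making, and the explicit privilege drop that separating privilege handling from uid handling amounts to, can be shown in a few lines. The following is an added example, not OpenSSH code: it parses the CapEff line of /proc/self/status to see whether CAP_SETUID and CAP_SETGID survived the uid switch, and then clears the effective, permitted and inheritable sets with the raw capset(2) syscall instead of relying on the setuid fixup that secure_nosuidfixup has disabled. It assumes Linux and the uapi linux/capability.h header; capability numbers 6 and 7 for CAP_SETGID and CAP_SETUID are the kernel's own values.

```c
/* Added example (not from the article or OpenSSH): detect capabilities that
 * outlived a uid switch, and drop them explicitly. Linux only. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#ifndef CAP_SETGID
#define CAP_SETGID 6
#define CAP_SETUID 7
#endif

#define CAP_EFF_INVALID UINT64_MAX

/* Extract the CapEff bitmask from /proc/<pid>/status text.
 * Returns CAP_EFF_INVALID if the line is missing or not a hex number. */
uint64_t parse_cap_eff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return CAP_EFF_INVALID;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p)
        return CAP_EFF_INVALID;
    return (uint64_t)v;
}

/* 1 if the effective set still allows changing uid or gid, which after a
 * switch to an unprivileged uid means the fixup did not run. */
int can_still_switch_ids(uint64_t eff)
{
    if (eff == CAP_EFF_INVALID)
        return 0;
    return (eff & ((1ULL << CAP_SETUID) | (1ULL << CAP_SETGID))) != 0;
}

/* Read the live effective set of the calling process. */
uint64_t read_own_cap_eff(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return CAP_EFF_INVALID;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_eff(buf);
}

/* Clear effective, permitted and inheritable sets with capset(2). Shrinking
 * the sets to nothing is always allowed, so this works whether or not the
 * caller was privileged. Returns 0 on success, -1 on failure. */
int drop_all_capabilities(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];  /* caps 0-31 and 32-63 */
    memset(data, 0, sizeof data);
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void)
{
    uint64_t eff = read_own_cap_eff();
    if (can_still_switch_ids(eff))
        fprintf(stderr, "CAP_SETUID/CAP_SETGID still effective (CapEff=%016llx)\n",
                (unsigned long long)eff);
    if (drop_all_capabilities() == -1) {
        perror("capset");
        return 1;
    }
    printf("CapEff after explicit drop: %016llx\n",
           (unsigned long long)read_own_cap_eff());
    return 0;
}
```

Run as root with the securebits locked as above, the first line fires exactly in the situation sshd's permanently_set_uid() complains about; after drop_all_capabilities() the printed CapEff is zero regardless of how the process was started, which is the behaviour a daemon should arrange for itself rather than depending on the kernel's setuid fixup.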

Download opensshd_caps.patch (see Resources), and use the following
steps to apply the above patch:

The root userid now carries no privileges, but the system still requires
administration. That requires privilege. So, let's define several
partially privileged users. At login, each will receive inheritable
capabilities sufficient to achieve some task. Working out the most
useful combinations of capabilities to assign to select users is an
interesting exercise, but for now let's focus on three users: netadmin,
which can change network settings; useradmin, which can add and delete
users, kill their processes and modify their files; and privadmin,
which can change file capabilities and users' inheritable capabilities.

privadmin may set file capabilities (cap_setfcap), so make him
the owner of the capability.conf file so that he can set pI for
users. useradmin can manipulate other users' files and processes. netadmin
remains unchanged. (Note that privadmin can give himself whatever privilege
he wants. A good audit policy and a limited tool for editing capability.conf
would help mitigate that risk.)

You also need to set some inheritable file capabilities on system
administration utilities to grant these users privilege. Listing
2 shows a small list to get started. For brevity, let's just assign
all capabilities to the inheritable set. You can apply these with the
script in Listing 3 by running sh loopcaps.sh admincaplist. Finally, you'll
need to let useradmin execute useradd using chmod o+x /usr/sbin/useradd.